UmrahManager

Legal

Data Processing Agreement

Last updated: May 7, 2026

Note: the official Data Processing Agreement (DPA) is being drawn up by a Dutch privacy lawyer. Below is the summary with the most important arrangements — the full PDF version is sent on request and is automatically available to every paying customer.

This English text is a convenience translation. In case of any difference, the Dutch version prevails.

Who is who?

The agency = data controller. Determines what the data is used for.

UmrahManager = processor. Processes data solely on the agency's instructions, in accordance with this agreement.

Which data do we process on your behalf?

  • Name, contact details and date of birth of pilgrims
  • Passport scans, passport number and expiry date
  • Visa status and associated documents
  • Flight and hotel bookings, room allocation
  • Payment status (no payment card numbers — that runs via Mollie / iDEAL at the bank)
  • Communication preferences, intake answers, dietary and room requests

Where is the data stored?

Database in Frankfurt (Supabase, EU). Email delivery via Resend (eu-west-1). Files in encrypted EU cloud storage. No data leaves the EU.

Sub-processors

We work with the following sub-processors:

  • Supabase Inc. — database & storage (EU region)
  • Resend — email delivery (EU region)
  • Netlify — hosting & functions (EU edge)
  • Anthropic — AI text generation (only at the agency's request, no customer data)
  • Google Cloud Vision — passport OCR (only at the moment of upload, no permanent storage)
  • Sentry — error monitoring (EU region, no customer data, only technical errors)

When sub-processors change, we inform you at least 30 days in advance by email.

Security measures

  • TLS encryption for all connections
  • At-rest encryption on database and files
  • Per-agency data isolation via row-level security
  • Audit log on sensitive actions (deleting, exporting, payments)
  • Daily backups with 7-day retention
  • Strong passwords + login via email link
  • 2FA available for staff accounts (optional on Pro/Scale, mandatory on Enterprise)

Data breach procedure

In the event of a (suspected) data breach we inform the agency within 24 hours by email + WhatsApp, with details of what is known, which data could be involved, and what is being done about it. The agency itself is responsible for notifying its own customers and the Dutch Data Protection Authority, where applicable.

On termination

On cancellation we export all agency data in a readable format (Excel/JSON). After that all data is permanently deleted within 90 days, including from backups (once they rotate out of retention).

Need the DPA PDF for your records? Send a message via WhatsApp or email info@umrahmanager.app — and I'll send it the same day.

← Back to homepage